Bug 64493 (CVE-2004-1234) - VUL-0: CVE-2004-1234: recent ELF path error fix also fixes a DoS
Summary: VUL-0: CVE-2004-1234: recent ELF path error fix also fixes a DoS
Status: RESOLVED FIXED
Alias: CVE-2004-1234
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Hubert Mantel
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-1234: CVSS v2 Base Score: 2....
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-23 18:53 UTC by Sebastian Krahmer
Modified: 2021-10-27 11:37 UTC (History)
2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
binfmt_aout_do_brk_fix_24.patch (1.56 KB, patch)
2005-01-04 21:30 UTC, Marcus Meissner
binfmt_aout_do_brk_fix.patch (1.52 KB, patch)
2005-01-04 21:32 UTC, Marcus Meissner

Description Sebastian Krahmer 2004-12-23 18:53:43 UTC
Date: Wed, 22 Dec 2004 12:08:29 -0200
From: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
To: Mark J Cox <mjc@redhat.com>
Cc: vendor-sec@lst.de
Subject: Re: [vendor-sec] 2.4 load_elf_binary error path flaw

On Tue, Dec 21, 2004 at 01:19:44PM +0000, Mark J Cox wrote:
> Chris fixed a flaw found by Kirill Korotaev on April 9th 2004.
> http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQ
> Therefore it affects <2.4.26
> 
> Anyway it got reported to us with a reproducer that can cause a crash, 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142965
> 
> So since we're going to fix it and it's now a proven local DoS I've 
> assigned it CAN-2004-1234

The recent binfmt_aout v2.6 backport changes also fix a DoS:

ChangeSet@1.1527.1.13, 2004-12-16 16:06:31-02:00, chrisw@osdl.org
  [PATCH] a.out: error check on set_brk

  It's possible for do_brk() to fail during set_brk() when exec'ing and
  a.out.  This was noted with Florian's a.out binary and overcommit set to
  0.

  Capture this error and terminate properly.

ChangeSet@1.1527.1.16, 2004-12-17 21:45:58-02:00, chrisw@osdl.org
  [PATCH] Backport of 2.6 fix to insert_vm_struct to make it return an error
  rather than BUG().

  Backport of 2.6 fix to insert_vm_struct to make it return an error
  rather than BUG().  This eliminates a user triggerable BUG() when user
  created a large vma that overlapped with arg pages during exec (could be
  triggered with a.out on i386 and x86_64 and elf on ia64).

  Signed-off-by: Chris Wright <chrisw@osdl.org>
Comment 1 Sebastian Krahmer 2004-12-23 18:53:43 UTC
I don't know whether we included this, so I added it here
for clarification. Might be that it can be closed soon if we include it.
I was concerned about the word *also* in his mail.
Comment 2 Hubert Mantel 2004-12-23 18:55:52 UTC
Where can I get the fix he is talking about? Those bk numbers do not mean
anything to me...
Comment 3 Sebastian Krahmer 2004-12-23 19:28:13 UTC
This was the mail as we got it. No link to the patches. One has
to ask either him or kernel folks. I thought 'ChangeSet@1.1527.1.13'
is something unique within the newest kernel tree.
Comment 4 Marcus Meissner 2005-01-04 21:30:52 UTC
Created attachment 27381
binfmt_aout_do_brk_fix_24.patch

This is from 2.4 BitKeeper:

http://linux.bkbits.net:8080/linux-2.4/cset%401.1527.1.13?nav=index.html|src/.|src/fs|related/fs/binfmt_aout.c
Comment 5 Marcus Meissner 2005-01-04 21:32:07 UTC
Created attachment 27382
binfmt_aout_do_brk_fix.patch

This is the same fix from 2.6 mainline:

http://linux.bkbits.net:8080/linux-2.6/cset%401.2034.36.23?nav=index.html|src/.|src/fs|related/fs/binfmt_aout.c
Comment 6 Marcus Meissner 2005-01-04 21:33:04 UTC
Andrea, some memory management do_brk magic fixes from mainline 2.4/2.6
kernels... can you have a brief look at how they interact with the do_brk()
fixes...
Comment 7 Marcus Meissner 2005-01-04 21:33:27 UTC
The overlapping VMA problem was fixed already by us, I think.
Comment 8 Marcus Meissner 2005-01-13 19:28:10 UTC
a_out fixes have CAN-2004-1074

vm overlap fixes have CAN-2005-0003
Comment 9 Hubert Mantel 2005-01-13 23:21:09 UTC
I'm puzzled by this report now. Is there any action required?
Comment 10 Marcus Meissner 2005-01-13 23:49:39 UTC
aout stuff is fixed in 2.4.

aout stuff is also fixed in 2.6.

So non-issue, we got it already.
Comment 11 Thomas Biege 2009-10-13 20:09:03 UTC
CVE-2004-1234: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)